As organizations use more cloud services and resources, they become responsible for a staggering variety of administrative consoles, assets, services and interfaces. Cloud computing is a large and often interconnected ecosystem of software-defined infrastructure and applications. As a result, the cloud control plane -- as well as assets created in cloud environments -- can become a mishmash of configuration options.
It's all too easy to misconfigure elements of cloud environments and potentially expose the infrastructure and cloud services to malicious activity. In its 2023 "Cloud Threat Report," Palo Alto's Unit 42 research team found 76% of cloud consumers don't enforce multifactor authentication for console users and 58% don't require MFA for users with root and admin privileges.
These kinds of cybersecurity misconfigurations, whether related to identity, exposure, poor vulnerability management or other reasons, can lead to increased risk to cloud deployments of all types.
Let's look at six of the most common cloud configuration misconfigurations and how to resolve them.
1. IAM misconfigurations
Among the catalog of cloud misconfigurations, the first one that trips up cloud tenants is overly permissive identity and access management policies and other poor IAM practices. Cloud environments usually include identities that are human, such as cloud engineers and DevOps professionals, and nonhuman, such as service roles that enable cloud services and assets to interact within the infrastructure. In many cases, multiple nonhuman identities are in place. These frequently have overly broad permissions that could enable unfettered access to more cloud assets than needed.
To combat this issue, be sure to do the following:
- Centralize identity and access wherever possible, and carefully define how to approach the creation and lifecycle of identities and groups. One option is to build and implement centralized cloud IAM teams to focus explicitly on this area of cloud security.
- Enable MFA for all privileged human user accounts.
- Perform regular reviews of all identity roles and policies using cloud-native services, such as AWS IAM Access Analyzer, or third-party products that continually evaluate privileges and flag any excessive privileges.
- Plan for secrets management approaches that include centralized storage and control of access keys, as well as any other secrets, such as passwords.
- Disable all default credentials. This is most important for SaaS and specific types of PaaS and IaaS that use them.
2. Cloud storage and data security misconfigurations
Another common cloud misconfiguration revolves around exposed or poorly secured cloud storage nodes. Organizations might inadvertently expose storage assets, such as storage buckets, to the internet or to other cloud services, or grant broader internal access to them than intended. In addition, they often fail to properly implement encryption and access logging where appropriate.
To ensure cloud storage is not exposed or compromised, security teams should do the following:
- Continually look for any storage nodes labeled as public.
- Monitor all internal storage access patterns to eliminate any unnecessarily permissive or exposed access.
- Enable strong encryption and key rotation for sensitive data within cloud storage nodes -- many cloud services enable strong encryption by default.
3. Network access control misconfigurations
Overly permissive cloud network access controls are another area ripe for cloud misconfigurations. These access control lists are policies applied to cloud subscriptions or individual workloads. The problem often comes down to unrestricted inbound and outbound TCP/UDP ports, such as those used for HTTP/HTTPS, within cloud-native access control models, which can leave services and workloads overly exposed.
To mitigate this issue, security and operations teams should review all security groups and cloud firewall rule sets to ensure only the network ports, protocols and addresses needed can communicate. Rule sets should never allow access from anywhere to administrative services running on ports 22 (Secure Shell) or 3389 (Remote Desktop Protocol).
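To make that rule-set review concrete, here is an added example that is not part of the article. It assumes rules in a simplified shape modeled on AWS security group ingress entries (protocol "-1" meaning all protocols and ports); the rules are constructed samples and `find_exposed_admin_ports` is a hypothetical helper that reports any world-reachable rule covering SSH or RDP.

```python
import ipaddress

# Constructed sample ingress rules (not from the article), in a simplified
# shape modeled on AWS security group entries: protocol, port range, source CIDR.
INGRESS_RULES = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.20.0.0/16"},
    {"protocol": "tcp", "from_port": 3000, "to_port": 4000, "cidr": "::/0"},
    {"protocol": "-1", "from_port": None, "to_port": None, "cidr": "203.0.113.0/24"},
]

# Administrative ports the article says should never be open to the world.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def is_world_open(cidr):
    """True if the source CIDR is the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def rule_covers_port(rule, port):
    """True if the rule's protocol and port range include the given TCP port.
    Protocol "-1" means every protocol and every port, so it always matches."""
    if rule["protocol"] == "-1":
        return True
    if rule["protocol"] != "tcp":
        return False
    return rule["from_port"] <= port <= rule["to_port"]

def find_exposed_admin_ports(rules):
    """Return (rule_index, port, service) for each rule that lets any source
    address reach an administrative port; wide ranges are caught too."""
    exposed = []
    for idx, rule in enumerate(rules):
        if not is_world_open(rule["cidr"]):
            continue
        for port, service in ADMIN_PORTS.items():
            if rule_covers_port(rule, port):
                exposed.append((idx, port, service))
    return exposed
```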
4. Workload and image misconfigurations
Vulnerable and misconfigured workloads and images also plague cloud tenants. In some cases, organizations connect workloads to the internet accidentally or without realizing what services are exposed. This exposure enables would-be attackers to assess these systems for vulnerabilities. Outdated software packages or missing patches are other common issues. Exposing cloud service provider APIs via orchestration tools and platforms, such as Kubernetes, meanwhile, can let workloads be hijacked or modified illicitly.
To address these common configuration issues, cloud and security engineering teams should regularly do the following:
- Update workload images with patches and configuration hardening controls using the Center for Internet Security benchmarks and other industry best practices. Start new and updated workloads using these images.
- Scan and review all workloads for vulnerabilities.
- Ensure cloud orchestration tools and APIs for containers and other PaaS workloads are not exposed and do not provide more access than necessary, particularly on the internet.
- Look for and remediate or replace third-party components and libraries in images and workloads that might be vulnerable.
5. Logging and monitoring misconfigurations
Many organizations don't properly enable logging and monitoring for the right security-related events, ranging from failed authentication to blocked network traffic to unusual use of IAM policies and roles.
Security teams must enable critical logging tools, such as AWS CloudTrail, Azure Monitor and Google Cloud Logging. Exports of data to a cloud or on-premises SIEM system should be relatively easy to enable these days, and it's important to filter out "noise" events, such as read-only logs.
Enable additional monitoring tools, such as Amazon CloudWatch, Azure Security Center and Google Cloud Security Command Center, for visibility into what's happening in the cloud environment. Deploying cloud security posture management tools helps with multi-cloud environments.
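The filtering and event selection described above, as an added example that is not part of the article: it reads CloudTrail-shaped records (the `readOnly`, `eventSource`, `eventName` and `responseElements` fields are real CloudTrail fields), drops read-only calls as noise, and flags failed console logins and IAM privilege changes. The records are constructed samples and `triage` is a hypothetical helper.

```python
import json

# Constructed sample CloudTrail records (not from the article), trimmed to the
# fields this filter uses; the account ID is AWS's documentation placeholder.
SAMPLE_EVENTS = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "readOnly": True, "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "readOnly": False, "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "readOnly": False, "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "readOnly": True, "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci"}},
]})

# IAM write calls that change who can do what; these should alert, not just be stored.
IAM_PRIVILEGE_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                        "PutRolePolicy", "CreateAccessKey", "UpdateAssumeRolePolicy"}

def drop_noise(records):
    """Keep only write events: read-only API calls are the bulk of CloudTrail volume."""
    return [r for r in records if not r.get("readOnly", False)]

def classify(record):
    """Return a short alert label for a security-relevant record, else None."""
    response = record.get("responseElements") or {}
    if record.get("eventName") == "ConsoleLogin" and response.get("ConsoleLogin") == "Failure":
        return "failed-console-login"
    if record.get("eventSource") == "iam.amazonaws.com" and \
            record.get("eventName") in IAM_PRIVILEGE_EVENTS:
        return "iam-privilege-change"
    return None

def triage(raw_json):
    """Parse one CloudTrail log file, drop noise and return
    (label, actor_arn, eventName) for each record that warrants attention."""
    records = json.loads(raw_json).get("Records", [])
    alerts = []
    for rec in drop_noise(records):
        label = classify(rec)
        if label:
            alerts.append((label, (rec.get("userIdentity") or {}).get("arn"), rec["eventName"]))
    return alerts
```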
6. DNS misconfigurations
A common misconfiguration is forgetting to remove unused DNS subdomains or DNS records when no longer needed, which could lead to hijacking and fraud activity. Update DNS records, and change DNS record lifecycles to better manage exposed and available assets.
7. Third-party misconfigurations
The market for third-party platforms in the cloud has grown exponentially with the expansion of large provider marketplace services. While this can greatly improve efficiency and implementation, evaluate these tools and integration elements before rolling them out. Ensure all third-party connections and tools within the cloud environment are secure and updated.
Use guardrail services to solve cloud misconfigurations
Guardrail tools can help companies avoid cloud misconfigurations. The major cloud infrastructure providers offer a variety of background security services, among them logging and behavioral monitoring, to further protect an organization's data.
In some cases, configuring these services is as easy as turning them on. Amazon GuardDuty, Azure Security Center and Google Cloud Security Command Center, for example, begin monitoring cloud accounts shortly after they are enabled. Other tools, such as Microsoft Sentinel, Google Chronicle and AWS Security Hub, require some additional configuration and tuning.
While cloud environments can remain safe without using services like these, the more tools an organization puts in place to safeguard its operations, the better chance it has to know if an asset or service is misconfigured.